From aa8c142b5e1d126b9a5a8e4a6638bc785292fbc2 Mon Sep 17 00:00:00 2001
From: Günther Deschner
Date: Thu, 8 Oct 2009 00:39:40 +0200
Subject: s3-netlogon: allow to change any type of trust account password in trust_pw_find_change_and_store_it().
Guenther
---
 source3/libsmb/trusts_util.c | 45 ++++++++++++++++++++++++++++++++++++++------
 1 file changed, 39 insertions(+), 6 deletions(-)
(limited to 'source3')
diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c
index e201814163..1e2460cfcc 100644
--- a/source3/libsmb/trusts_util.c
+++ b/source3/libsmb/trusts_util.c
@@ -37,6 +37,14 @@ NTSTATUS trust_pw_change_and_store_it(struct rpc_pipe_client *cli, TALLOC_CTX *m
 char *new_trust_passwd;
 NTSTATUS nt_status;
+ switch (sec_channel_type) {
+ case SEC_CHAN_WKSTA:
+ case SEC_CHAN_DOMAIN:
+ break;
+ default:
+ return NT_STATUS_NOT_SUPPORTED;
+ }
+
 /* Create a random machine account password */
 new_trust_passwd = generate_random_str(mem_ctx,
 DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
@@ -61,8 +69,33 @@ NTSTATUS trust_pw_change_and_store_it(struct rpc_pipe_client *cli, TALLOC_CTX *m
 * Return the result of trying to write the new password
 * back into the trust account file.
 */
- if (!secrets_store_machine_password(new_trust_passwd, domain, sec_channel_type)) {
- nt_status = NT_STATUS_UNSUCCESSFUL;
+
+ switch (sec_channel_type) {
+
+ case SEC_CHAN_WKSTA:
+ if (!secrets_store_machine_password(new_trust_passwd, domain, sec_channel_type)) {
+ nt_status = NT_STATUS_UNSUCCESSFUL;
+ }
+ break;
+
+ case SEC_CHAN_DOMAIN: {
+ char *pwd;
+ struct dom_sid sid;
+ time_t pass_last_set_time;
+
+ /* we need to get the sid first for the
+ * pdb_set_trusteddom_pw call */
+
+ if (!pdb_get_trusteddom_pw(domain, &pwd, &sid, &pass_last_set_time)) {
+ nt_status = NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE;
+ }
+ if (!pdb_set_trusteddom_pw(domain, new_trust_passwd, &sid)) {
+ nt_status = NT_STATUS_INTERNAL_DB_CORRUPTION;
+ }
+ break;
+ }
+ default:
+ break;
 }
 }
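Review bot: `SEC_CHAN_BDC` is turned away by the new allow-list at the top of `trust_pw_change_and_store_it()`, which lets only `SEC_CHAN_WKSTA` and `SEC_CHAN_DOMAIN` through and returns `NT_STATUS_NOT_SUPPORTED` for everything else. Before this change every channel type went on to `secrets_store_machine_password()`, so if a BDC machine account reaches this path its password rotation would now stop and the credential would simply age. Either add `case SEC_CHAN_BDC:` beside `case SEC_CHAN_WKSTA:` here and in the store switch further down, or add a comment such as `/* BDC accounts are rotated elsewhere */` if the exclusion is intended. The function body continues outside the hunk.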
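Review bot: In the `SEC_CHAN_DOMAIN` case a failed `pdb_get_trusteddom_pw()` only sets `nt_status` and then falls through to `pdb_set_trusteddom_pw()` with an uninitialised `sid`, so the new trust password can be written under a garbage SID while the function still reports failure. Add `break;` directly after `nt_status = NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE;`. `pwd` receives the previous cleartext trust password and is never used or released; assuming the passdb backend heap-allocates it, wipe and release it (`SAFE_FREE(pwd);`) as soon as the SID has been read. The comment above this switch suggests the remote side has already accepted the new password by this point, so it would be safer to do the SID lookup before that step, which is outside the hunk; a lookup failure could then not leave the two ends holding different secrets.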
@@ -81,16 +114,16 @@ NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli,
 {
 unsigned char old_trust_passwd_hash[16];
 uint32 sec_channel_type = 0;
+ const char *account_name;
- if (!secrets_fetch_trust_account_password(domain,
- old_trust_passwd_hash,
- NULL, &sec_channel_type)) {
+ if (!get_trust_pw_hash(domain, old_trust_passwd_hash, &account_name,
+ &sec_channel_type)) {
 DEBUG(0, ("could not fetch domain secrets for domain %s!\n", domain));
 return NT_STATUS_UNSUCCESSFUL;
 }
 return trust_pw_change_and_store_it(cli, mem_ctx, domain,
- global_myname(),
+ account_name,
 old_trust_passwd_hash,
 sec_channel_type);
 }
-- cgit
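Review bot: `account_name` is declared without an initialiser and passed to `trust_pw_change_and_store_it()` purely because `get_trust_pw_hash()` returned true; nothing visible in this hunk guarantees the callee writes it on every success path. Declare it as `const char *account_name = NULL;` and treat a NULL result like a failed lookup, so an indeterminate pointer can never be used as the account whose password is changed. Separately, `old_trust_passwd_hash` keeps the current trust account hash on the stack and is not cleared on either return path; storing the call's status in a local and wiping the buffer with `ZERO_STRUCT(old_trust_passwd_hash);` before returning would shorten its lifetime. The function's signature lies outside the hunk.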